Rule: EFS Access Points Should Enforce a Root Directory
This rule ensures that EFS access points enforce a root directory for foundational security.
| Rule | EFS access points should enforce a root directory |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
EFS Access Points Root Directory Enforcement
Rule Description
In order to adhere to AWS Foundational Security Best Practices, it is recommended to enforce a root directory for Amazon Elastic File System (EFS) access points. This rule ensures that client applications accessing the EFS file system can only operate within a specific root directory, preventing unauthorized access to sensitive data.
Rule Implementation
To enforce a root directory for EFS access points, you can follow these steps:
- 1.Access the AWS Management Console and navigate to the EFS service.
- 2.Select the appropriate file system for which you want to enforce the root directory.
- 3.Click on the "Access points" tab.
- 4.Select the relevant access point or create a new one.
- 5.Under the "Root directory" section, choose the option for "Path" and specify the desired root directory.
- 6.Save the access point configuration.
Troubleshooting Steps
If you encounter any issues or errors while trying to enforce the root directory for EFS access points, you can try the following troubleshooting steps:
- 1.Ensure that you have the necessary permissions to modify EFS access points. Check your IAM user or role permissions and make sure they include the necessary actions for managing EFS access points.
- 2.Verify that the selected file system supports access points. Some older EFS file systems may not have access point capability. If needed, migrate to a supported file system.
- 3.Double-check the provided path for the root directory. Ensure that it is a valid path within the file system and exists.
- 4.If you are encountering errors during access point creation or modification, review the AWS CloudTrail logs for any relevant error messages and investigate accordingly.
- 5.Consider reaching out to AWS support if the troubleshooting steps above do not resolve the issue.
Sample Code
The required change can be made using the AWS Command Line Interface (AWS CLI) as well. Use the following command to configure the root directory for an EFS access point: aws efs put-access-point-configuration --access-point-id <access-point-id> --root-directory "Path=<root-directory>" Replace <access-point-id> with the ID of the access point you want to configure and <root-directory> with the desired root directory path. Note: Ensure that you have the AWS CLI properly set up and configured with the necessary credentials to execute this command.
Remediation Steps
To enforce a root directory for an EFS access point using the AWS CLI, follow these steps:
- 1.Open a terminal or command prompt.
- 2.Run the following command, replacing
with the ID of the access point and<access-point-id>
with the desired root directory path:<root-directory>
aws efs put-access-point-configuration --access-point-id <access-point-id> --root-directory "Path=<root-directory>"
For example:
aws efs put-access-point-configuration --access-point-id fsap-0123456789abcdef0 --root-directory "Path=/root"
- 1.Verify the successful modification of the access point configuration by checking the output response for any error messages.
- 2.Repeat the steps for each relevant access point that requires a root directory enforcement.
By following these steps, you can successfully enforce a root directory for EFS access points, improving security and compliance with AWS Foundational Security Best Practices.